According to a recent study, the average direct cost of a cyber-attack resulting in a security breach at a small business is approximately $38,000. Downtime ($23,000), lost business opportunities ($5,000), and the service providers the company will need to hire to deal with the cybersecurity breach are included in this figure. Small businesses pay an average of about $10,000 in professional services which include hiring an IT security and risk management team, auditors, lawyers, accountants, and public-relations consultants. The actual direct cost to a small business such as a dental practice may not be exactly $38,000. However, when adjusted for scale, the financial expense to recover from a security breach could be even more impactful.
These expenses are the visible costs of a cyber-attack. Other hidden but real costs are often overlooked, underestimated, or unaccounted for. An iceberg illustrates the relationship between the “above the surface” and the “below the surface” costs. It is the hidden 90% of the iceberg that has the greatest potential to sink ships.
Hidden Costs of a Cyber-Attack on a Dental Practice
Common perceptions of cyber-attacks are mostly shaped by what companies and businesses are required to report publicly. Instances of cybersecurity breaches of which the public is most aware involve payment data, personal health information (PHI), and the theft of personally identifiable information (PII). Other instances of security breaches rarely attract public attention. These cases include espionage, intellectual property (IP) theft, attacks on core operations, destruction of data, or attempts to disable critical infrastructure. With the prevalence and impact of cybersecurity breaches expanding, business owners and professionals such as dentists and orthodontists must be acutely aware not only of direct impact costs to their businesses but also the hidden costs associated with a cybersecurity breach.
Increased insurance premiums
An area of expense that is indirect but associated with a cyber breach has to do with insurance premiums. Insurance premium increases are the extra costs an insured business incurs to purchase or renew cyber insurance policies after a cyber incident.
Factors influencing the premium amount include:
- Information concerning the circumstances surrounding the incident and unmitigated culpability
- Intentions to improve the security solution
- Anticipated litigation
- Assumptions regarding the policy holder’s level of cybersecurity maturity
Increased costs to borrow funds
Should there be a drop in credit rating following a cyber incident, the victimized business will face higher interest rates for borrowed capital, whether it is raising debt or renegotiating existing debt. This situation could directly impact plans and efforts to expand a dental practice to multiple locations. The practice is now perceived as a higher-risk borrower following a cybersecurity incident. The additional interest expense paid over time could be staggering. It is virtually impossible to calculate the lost profit resulting from the failure to scale to meet market demand due to the inability to obtain reasonable interest rates on investment capital.
Disruptions or destruction of business operations
This highly variable cost includes losses related to manipulation of or changes in normal business operations and expenses associated with rebuilding operational capabilities. Victims of a cyber-attack will need to repair facilities and equipment, build temporary infrastructure, redirect resources, or increase existing resources to replace systems that were disabled. In a dental practice, disruption in patient flow for any reason directly and immediately impacts cash flow.
Customer relationship losses
Quantifying the loss of clients or customers after a breach can be very difficult. Economists and marketing teams address this issue by assigning a value to each client or customer to quantify how much the business must invest to regain particular customers. Dental practices acquire loyal customers and build relationships that last a lifetime. Losing a patient certainly carries a monetary loss, but the relational expense could be even more painful.
Value of unrealized revenue from lost contracts
The fallout from a cyber-attack could impact present and future contracts for goods and services for any business, including dental practice. Projections are only estimates, but these estimates are grounded in real numbers and trends. Projecting future losses or unfulfilled gains could exponentially increase the cost of a cyber-attack. The value of lost contract revenue, such as Invisalign, braces, and retainers, includes revenue, income, and future opportunities that are lost when a contract is terminated following a cyber incident.
Devaluation of trade name
To accurately assess the financial impact on the value of a trade name, the pre-attack and post-attack value must be calculated. This cost could approach the value of the practice itself, especially if the brand has an identity that transcends the dentist’s name. If the victimized dental practice is ever put up for sale, the damaged brand or trade name could be an expensive liability.
Loss of intellectual property
The loss of intellectual property (IP) is an intangible cost associated with loss of exclusive control over trade secrets, copyrights, investment plans, and other proprietary or confidential information. The loss of IP can result in the loss of competitive advantage, revenue losses, and potentially irreparable economic damage to the dental practice. Just a few examples of IP includes patents, copyrights, designs, trademarks, and trade secrets. In larger, multi-dentist, multi-location, or even franchised locations, the loss of IP could dissolve a lifetime of effort and investment for all parties involved.
A cyber-attack inflicts more than stress and financial pain. It also damages a dental practice’s reputation. The long-term value of reputation and perception in the dental industry is all but impossible to tangibly calculate. What is the value of a good name and a solid reputation? It is priceless. Cyber-attacks wound deeper than dollars. To mitigate a negative impact on reputation, managing risks and vulnerability to cyber attackers must be a central focus in order to ensure a dental practice’s reputation remains intact.
The impacts of a cyber-attack can affect a business in various ways depending on the nature and severity of the attack. No business, not even a dental practice, is immune. Thankfully, outsourced IT managed services are a simple, affordable solution to protect dental practice against the painful effects of a successful cyber-attack.